Beruflich Dokumente
Kultur Dokumente
John Manferdelli
jlm@cs.washington.edu
jmanfer@microsoft.com
This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability
for any purpose. This material is not guaranteed to be error free and is intended for instructional use only.
Key Schedule
Plaintext
k1
k2
r Rounds
kr
Ciphertext
JLM 20060212 14:16 3
AES Requirements
• 128, 192, 256 bit keys
• Algorithms will be judged on the following factors:
– Actual security of the algorithm compared to other submitted algorithms
(at the same key and block size).
– The extent to which the algorithm output is indistinguishable from a
random permutation on the input block.
– Soundness of the mathematical basis for the algorithm’s security.
– Other security factors raised by the public during the evaluation
process, including any attacks which demonstrate that the actual
security of the algorithm is less than the strength claimed by the
submitter.
Basic Structure
1. Whiten
2. 8 rounds of key independent mixing
3. 16 rounds of keyed Feistel transforms (2 S-boxes)
4. 8 rounds of key independent mixing
5. Whiten
• Input
• p consisting of Nb words
• k with Nk words (Nk= 4,6,8)
• State
• 4 rows, Nb columns
• Key
• 4 rows, Nk columns
• Output
• c consisting of Nb words
All tables filled first col first s0,0, s1,0, s2,0, s3,0, s0,1, …
• Design Philosophy
• Wide Trails
• 32 bit word operations
• Non-linear substitution uses arithmetic over GF(2)
• Mixing uses polynomial arithmetic mod (x4+1)
Nk=4 10 12 14
Nk=6 12 12 14
Nk=8 14 14 14
For Nb= 4
For Nk= 4
ByteSub(b)
if b==0
t= 0
else
t= b-1
return(Mt + a)
M= circ(1,0,0,0,1,1,1,1)
a= (1,1,0,0,0,1,1,0)T
Arithmetic over GF(2) with m(x)= x8+x4+x3+x+1.
MixCol(state)
multiply each column of state by c(x) (mod x4 +1)
c(x)= 0x03 x3 + 0x01 x2 + 0x01 x + 0x02
InvMixCol(state)
multiply each column of state by d(x) (mod x4 +1)
d(x)= 0x0b x3 + 0x0d x2 + 0x09 x + 0x0e
AddRoundKey(i,state)
state= state + W[i]
JLM 20060212 14:16 20
ShiftRow
SubByte(w= (a,b,c,d)))
w= (ByteSub(a), ByteSub(b), ByteSub(c), ByteSub(d))
return(w)
RotByte(w= (a,b,c,d))
w= (b,c,d,a)
return(w)
Implementation 1 1 3 3 2
SW Perf 2 2 3 1 1
HW Perf 1 2 3 3 2
Design features 2 1 2 1 3
Plaintext:
PRNG(seed):
Ciphertext:
...
ai, sj ∈ Fq
Recurrence: sj+L= S j=0, 1 … L-1 aj sj+L-1
Initialization Iteration
S[0..255] = 0,1,…,255 i = (i + 1) mod 256
K[0..255] = Key,Key,Key,… j = (j + S[i]) mod 256
for i = 0 to 255 swap S[i] and S[j]
j = (j + S[i] + K[i]) mod 256 t = (S[i] + S[j]) mod 256
swap S[i] and S[j] Output S[t]
i=j= 0
• RC4 cannot enter states s: i= a, j=a+1, S[a+1]=1. There are N-2 of these.
• Notation
• Sr, ir, jr and tr denote the RC4 state during initialization after using key
words [0, 1, …, r].
• I(S), J(S), T(S), Z(S) are the state indicies, output index and first
output word of RC4 (i.e.- just after initialization is complete).
• T(S)=S[1]+S[S[1]], Z(S)= S[T(S)].
• Key is l-words long
• References
• Fluhrer, Mantin and Shamir. Attacks on RC4 and WEP.
• Mantin, Master’s Thesis.
Let Si be the state at time i and let <zi> be the output sequence.
H0= IV
Hi= f(Hi-1, xi)
Compression h(x)= g(ht)
Function (f)
Hash Value
Construction 1
Hi= E(g(Hi-1), xi) ⊕ Hi-1
Construction 2
Hi= E(xi, Hi-1) ⊕ Hi-1
Construction 3
Hi= E(g(Hi-1), xi) ⊕ xi ⊕ Hi-1
• SHA-1 has stood up best: best known theoretical attack (11/05) requires
264 operations.
512-bit input
160 bits of state
Compression
Function
For the 128 bit key, 128 bit block size version of Rijndael, using lookup tables
to reduce the computations required and assuming basic operations (32
bit lookup, 32 bit xor, etc) all take about .001 microseconds and your
code/data budget is under 16 MB, design a implementation of the round
operations that is faster than implementing each of the primitive
operations (ByteSub, ShiftRow, MixCol).
How long does each round take (about)?
Counter mode use of AES is used by selecting a nonce (n) and constructing
cipher blocks AESK(n||ctr), AESK(n||ctr+1), AESK(n||ctr+2),…. The
resulting bits are xored into the plaintext (as with the stream cipher).
What properties of AES make this safe? Can the keystream be
generated in parrallel and stored for later use? What performance
properties does this mode have over ECB?
0x08 0xa5 0xe9 0x09 0x45 0xc0 0xed 0xf1 0x6d 0x15 0xc2 0xab 0x7a 0xa4 0x3f 0x00
0x5d 0xfd 0x34 0xc3 0x4e 0x7b 0x9d 0x96 0x48 0xa3 0xd1 0x4a 0x75 0xb7 0x85 0xd8
0x38 0x76 0x7c 0x49 0x8f 0xd9 0x35 0xcc 0xfb 0xfe 0xf2 0xe6 0x13 0x56 0xec 0xa7
0x99 0xb0 0x2d 0x97 0xe7 0x1d 0xa9 0x16 0x9a 0xe2 0x64 0x53 0x5f 0x65 0xd3 0xc8
0x7d 0x10 0x8c 0x89 0x51 0xa1 0xd7 0x5b 0x68 0x74 0x02 0xdc 0x6f 0x43 0xe1 0x8b
0x3d 0x1c 0x23 0x1e 0xe0 0xb2 0x84 0xa8 0xbf 0xa2 0x2a 0x80 0xbb 0x6a 0x28 0x78
0xc5 0x24 0x86 0xb9 0x07 0xac 0xf0 0x52 0x17 0xf6 0xfc 0x67 0xb3 0x9e 0xcb 0x31
0x32 0x92 0xda 0x06 0xe4 0xd4 0x82 0xd5 0xf9 0xaa 0x9b 0x2b 0xb8 0x1a 0x3e 0xf8
0xdb 0xae 0x04 0x4c 0x36 0xc6 0x19 0x2e 0xd2 0x5c 0x20 0x11 0x4b 0x3b 0x0b 0x6e
0xb4 0x2c 0x69 0xc7 0xce 0x71 0x91 0xa6 0xaf 0xca 0x6b 0x60 0x94 0x5a 0x61 0x27
0xde 0x22 0x59 0xf4 0x54 0x25 0x42 0x0d 0xb5 0x7e 0x4d 0xbe 0x57 0x26 0xcf 0xef
0xff 0x03 0x0a 0x44 0x87 0x37 0x8e 0x12 0xbc 0x40 0x72 0x14 0x83 0x47 0xf7 0x1b
0x30 0x33 0x58 0x3a 0x81 0xf3 0x8d 0x9f 0x79 0x50 0x1f 0x3c 0x5e 0x0f 0xf5 0x62
0xbd 0xc4 0x95 0x73 0x93 0x55 0x41 0xb6 0x6c 0x21 0x70 0x4f 0xeb 0xea 0x98 0xfa
0x90 0x63 0x9c 0x18 0x77 0xdd 0xe3 0xc9 0xba 0x46 0x01 0xcd 0x88 0x0e 0x39 0xc1
0x8a 0xb1 0x7f 0xee 0xe5 0xad 0x05 0xa0 0xd0 0xdf 0x2f 0x0c 0x29 0x66 0xd6 0xe8
In 0 1 2 3 4 5 6 7 8 9 a b c d e f
0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
1 0 0 0 6 0 2 4 4 0 10 12 4 10 6 2 4
2 0 0 0 8 0 4 4 4 0 6 8 6 12 6 4 2
3 14 4 2 2 10 6 4 2 6 4 4 0 2 2 2 0
4 0 0 0 6 0 10 10 6 0 4 6 4 2 8 6 2
5 4 8 6 2 2 4 4 2 0 4 4 0 12 2 4 6
6 0 4 2 4 8 2 6 2 8 4 4 2 4 2 0 12
7 2 4 10 4 0 4 8 4 2 4 8 2 2 2 4 4
8 0 0 0 12 0 8 8 4 0 6 2 8 8 2 2 4
9 10 2 4 0 2 4 6 0 2 2 8 0 10 0 2 12
a 0 8 6 2 2 8 6 0 6 4 6 0 4 0 2 10
b 2 4 0 10 2 2 4 0 2 6 2 6 6 4 2 12
c 0 0 0 8 0 6 6 0 0 6 6 4 6 6 14 2
d 6 6 4 8 4 8 2 6 0 6 4 6 0 2 0 2
e 0 4 8 8 6 6 4 0 6 6 4 0 0 4 0 8
f 2 0 2 4 4 6 4 2 4 8 2 2 2 6 8 8
10 0 0 0 0 0 0 2 14 0 6 6 12 4 6 8 6
11 6 8 2 4 6 4 8 6 4 0 6 6 0 4 0 0
12 0 8 4 2 6 6 4 6 6 4 2 6 6 0 4 0
Then
D1(0x34, 0xd)= {0x06, 0x10, 0x16, 0x1c, 0x22, 0x24, 0x28, 0x32}.
D1(0x34, 0x3)= {0x01, 0x02, 0x15, 0x21, 0x35, 0x36}.
And
(1) k e P1 ∆ D1(0x34, 0xd)
(2) k e P2 ∆ D1(0x34, 0x3)
(1) reduces the possible key set to {0x07, 0x33, 0x11, 0x25, 0x17, 0x23, 0x1d,
0x29}
(2) reduces the possible key set to {0x20, 0x14, 0x23, 0x17, 0x34, 0x00}.
The intersection (and actual possibilities) are { 0x17, 0x23}
Method
20 00 00 00 00 00 00 00
Use 1 round characteristic to right.
Undo effect of permutation matrix
and solve each S box separately. A’= 0 a’= 0
This allows us to solve for 48 key p=1
∆ F
bits.
This 1 round characteristic will be
used to estimate input xor in
subsequent rounds.
20 00 00 00 00 00 00 00
40 08 00 00, 40 00 00 00
• This characteristic occurs with
probability p=1/16 and forms
an estimate for the differential ∆ F
input of the 4th round of the 6
rounds.
• (00 20 00 08 00 00 00 04) !
∆ F
(00 00 04 00 00 20 00 08)
with p=1/16 is another such
characteristic.
∆ F
40 08 00 00, 40 00 00 00
JLM 20060212 14:16 73
Differential Cryptanalysis of 6 rounds
• Suppose (Li-1, Ri-1), ki are the inputs to round i. PL= L0, PR= R0.
• L6= R4 ∆ f(k6, R6)= L3 ∆ f(k6, R6) ∆ f(k4, R3)
• L6’= L3’ ∆ f(k6, R6) ∆ f(k6, R6*) ∆ f(k4, R3) ∆ f(k4, R3*)
• L6’ = CL and R6 =CR are known.
• Estimate L3’ = 40000000, R3’ = 40080000, using the differential.
• Set S= P-1(CL ∆ 40000000)= f(k6, CR) ∆ f(k6, CR *) ∆ f(k4, R3) ∆ f(k3, R3*)=
S1(E1) || S2(E2) || … || S8(E8) where E1|| E2|| … || E8 are the bits obtained
by applying E to 40080000.
• E1|| E2|| … || E8 =00100000000000000101000..0=
08||00||01||10||00||00||00||00.
• Since the input Xors to S2,S5,S6,S7,S8 are 0, f(k4, R3) ∆ f(k4, R3*) is 0 in
the corresponding output bit positions and we are left with the simple
differential: P-1(CL ∆ 40000000)= f(k6, CR) ∆ f(k6, CR *) for S2,S5,S6,S7,S8.
• Assume the W(i) are unrelated and follow progress of a change to W(1).
A B C D E
1 W1+ROL5(A)+f(B,C,D)+ A ROL30(B) C D
E+K
2 W2+ …
3 ROL30(-)
4
5 ROL30(W1+ROL5(A)+
f(B,C,D)+E+K)
6 W6+ … - fixes W1
perturbation
JLM 20060212 14:16 80
SHI-1 Error Propagation in Hash